Closed
Description
I'm a user of the actual actions in codeql-action: in other words I have uses-lines like this in my workflows:
uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4
I like to know what code I'm running in my CI, so I use hashes corresponding to releases and let dependabot update them. codeql-action releases are quite difficult to understand. As an example, I currently have a dependabot PR that wants to update from codeql-action 2.3.6 to 2.13.4:
- The last update I have seen was 2.3.6 -- what happened in between?
- Why am I getting an update to a release that your release page considers a "pre-release"?
- Why are the releases on the release page titled "CodeQL Bundle" when I'm looking at the "codeql-action" project and I'm not trying to use or update a "bundle"?
- Why does the changelog only list changes up to 2.3.6?
🤷
I'm sure there is a logic here and some of these versions refer to the software bundle and some refer to the actions themselves... but I can't understand this logic based on what dependabot shows me.
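The issue above is about pinning actions to commit hashes and then being unable to tell which release a given hash corresponds to. As an added example (not code from the issue author or from the codeql-action project), here is a small Python checker that walks a constructed workflow and reports how every `uses:` reference is pinned: full 40-character SHA, short SHA, tag, branch, local path or docker image. For full-SHA pins it also extracts the `# vX.Y.Z` comment that dependabot leaves next to the hash, which is the only human-readable clue to the release in a SHA-pinned line. The sample workflow, the step names other than the codeql-action one, and the `audit`/`unpinned` function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflow for this example (not from the original issue).
# The codeql-action SHA is the one quoted in the issue; the other steps are
# hypothetical and chosen to exercise each pinning style.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.13.4
      - uses: github/codeql-action/analyze@83f0fe6c # short sha, not a pin
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

# A `uses:` step line, optionally followed by a trailing comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)\s*(?:#\s*(.*))?$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")
TAG = re.compile(r"^v?\d+(\.\d+)*$")
VERSION_HINT = re.compile(r"v?\d+(?:\.\d+)+")


@dataclass
class Finding:
    action: str                 # owner/repo[/path], local path, or docker image
    ref: Optional[str]          # text after '@', if any
    kind: str                   # sha | short-sha | tag | branch | local | docker | unpinned
    pinned: bool                # True only for immutable references
    version_hint: Optional[str] # e.g. "v2.13.4" from a trailing comment


def classify(uses: str, comment: Optional[str]) -> Finding:
    """Decide how one `uses:` reference is pinned."""
    hint = None
    if comment:
        m = VERSION_HINT.search(comment)
        hint = m.group(0) if m else None

    if uses.startswith(("./", "../")):
        # Local composite actions live in the same repo; the commit being
        # built already fixes their content.
        return Finding(uses, None, "local", True, hint)
    if uses.startswith("docker://"):
        # Only an image digest is immutable; a tag like :3.19 can be re-pushed.
        return Finding(uses, None, "docker", "@sha256:" in uses, hint)

    action, sep, ref = uses.partition("@")
    if not sep:
        return Finding(action, None, "unpinned", False, hint)
    if FULL_SHA.match(ref):
        return Finding(action, ref, "sha", True, hint)
    if SHORT_SHA.match(ref):
        # GitHub resolves abbreviated SHAs, but they are not collision-resistant
        # and dependabot will not update them; treat as not pinned.
        return Finding(action, ref, "short-sha", False, hint)
    if TAG.match(ref):
        return Finding(action, ref, "tag", False, hint)
    return Finding(action, ref, "branch", False, hint)


def audit(workflow_text: str) -> List[Finding]:
    """Return one Finding per `uses:` line, in file order."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if m:
            comment = m.group(2).rstrip() if m.group(2) else None
            findings.append(classify(m.group(1), comment))
    return findings


def unpinned(workflow_text: str) -> List[str]:
    """Actions that are not pinned to an immutable reference."""
    return [f.action for f in audit(workflow_text) if not f.pinned]


def report(workflow_text: str) -> List[str]:
    """Human-readable summary lines; SHA pins without a version comment are called out."""
    lines = []
    for f in audit(workflow_text):
        status = "pinned" if f.pinned else "NOT pinned"
        note = ""
        if f.kind == "sha" and f.version_hint is None:
            note = " (no version comment: release is not recoverable from this line)"
        lines.append(f"{f.action}: {f.kind} {status} {f.version_hint or ''}{note}".rstrip())
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_WORKFLOW):
        print(line)
```

Running it on the sample flags `actions/checkout@v4`, the short SHA, the `@main` branch and the un-digested docker image as not pinned, and records `v2.13.4` as the release hint for the codeql-action pin. The `# vX.Y.Z` comment is exactly what dependabot rewrites when it bumps a SHA, so keeping it on the line is what lets a reviewer read the PR the issue author describes.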